Subnetting and Masks: Separating IPv4 Addresses for Security and Routing
Everything you ever wanted to know about subnetting and masks, also a few things you didn’t want to know, too.
Some of you have probably heard of the term subnetting and some of you may even know what it is. There are statistics that show if you have heard of subnetting, then there is a larger-than-not chance that you also have no life.
This post will assume that you have not heard of subnetting and have no idea what it is (and that you lead a rich and fulfilling existence). Getting there involves things like IP addresses and binary math, but the general philosophy behind subnetting is based in security (through separation), and this post shows why subnetting and masking are necessary for IPv4 networking.
The terms subnet and subnetting are generic terms that cover breaking the entire IP addressing space into smaller divisions. To understand subnetting, we have to take a step back and understand IP addressing, binary math and the scope of the whole thing.
Finally, an IP Address Explanation
Most people have heard of an IP address. In a sense, it is similar to a physical address (not a MAC address, a different topic for another time) that one associates with a house or a business. If you wanted to send something (or navigate) to a house or business, knowing the address is a good first step. There is not much difference between that and an IP address.
Every networked computer/appliance will have an IP address associated with it. Many of the IP addresses that most people are familiar with are private IP addresses. Public addresses (with DNS) are what enable us to surf the web for untold wonders and cat videos. Private addressing allows us to communicate with computers within a particular private subnet, typically for file sharing, providing services (a local mail server or print server), LAN gaming, etc.
In terms of private subnets, going back to the physical address analogy, imagine a company having a PO Box that receives all of the mail for all of their employees. If you wanted to send a package to John Doe at that company, you would address it to John Doe and provide his PO Box number. Then, someone from the company would gather the package and deliver it to John Doe. You might not know where John Doe’s office or location is, you just know that sending a package addressed to John Doe with the PO Box will get the package to a point in which it will be distributed to John Doe. As such, a gateway would receive all traffic for all of its hosts and then distribute it to those hosts with PAT (Port Address Translation), which is sometimes referred to as NAT (Network Address Translation).
Dissecting an IP Address
IPv4 addresses consist of 4 octets separated by a dot (.). Why are they called octets? Because each valid number can be represented by 8 bits. Here is where we start with a little binary math. A binary digit (bit) is either a 0 or a 1, so 8 bits give 2^8 = 256 possible combinations. If we subtract 1, because 0 is a valid number here, then we are left with 255. Each octet can represent a number between 0 and 255. Here’s a quick crash course on how binary math works:
Binary (0 or 1) | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Decimal Equivalent | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
Let the numbers up top represent the binary digits (either 1 or 0) and the numbers below represent their decimal or base 10 values (the number base system we are all familiar with and taught from an early age). Wherever the binary digit above is a ‘1’, you simply add up the corresponding base 10 numbers to get the binary number’s base 10 value. Any number can be represented in binary with enough bits.
Examples:
Decimal | 8 Bit Binary | Binary |
2 | 0 0 0 0 0 0 1 0 | 10 |
37 | 0 0 1 0 0 1 0 1 | 100101 |
98 | 0 1 1 0 0 0 1 0 | 1100010 |
200 | 1 1 0 0 1 0 0 0 | 11001000 |
255 | 1 1 1 1 1 1 1 1 | 11111111 |
(There is a ‘joke’ that goes, ‘There are 10 kinds of people in the world: those who understand binary and those who don’t.’ Get it? Even if it doesn’t get a laugh, you should get it, now.)
There are some special rules, which will be discussed later, but the general idea is that an IP address cannot contain an octet that is outside of 0-255. So, something that looks like 192.168.1.300 would not be valid, nor would something like -192.168.-1.100. Technically, 0.0.0.0 and 255.255.255.255 fit the rules, but you would never see anything assigned with those addresses. They are used for something else.
If we need to go beyond the number 255 (which you never will for an IPv4 octet), then you would just add another bit. The ninth bit would be 256.
So, a typical IP address can be represented in binary and would look like:
Decimal | Binary |
192.168.1.100 | 11000000.10101000.00000001.01100100 |
Subnetting and Masks
Now, if we were to go through every possible IP address, it would look something like 0.0.0.0, 0.0.0.1, 0.0.0.2… If we were to add up the total number of IPv4 addresses, it would look something like 2^8 * 2^8 * 2^8 * 2^8 = 2^32 = 4,294,967,296. Sound like a lot of IP addresses? It is, but we are running out of public addresses. That is why there is a (delayed) push to migrate to IPv6, which has
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. There would likely never be a threat of running out of addresses from that number, which is labeled 340 undecillion.
On smaller implementations (think small business/home use), our subnets are nice and clean. But, the subnets aren’t always nice and clean and it can help to break up addresses into subnets with just enough IP addresses. Confused? Understood. It will all be cleared up a bit next.
Now, we may have 20 computers that we want to have direct communication with each other. We could break up some of those potential IP addresses and say that they can talk to each other without restriction but communication to any other address needs to go through some other process/filter to communicate. This is where we can use subnetting. Subnetting can break up this entire addressing scope into smaller networks.
In order to define the scope of these smaller networks, we can utilize something called a subnet mask. Once again, you may or may not have seen subnet masks before but you likely have. They are often coupled with IP addresses. Subnet masks help define which part of the IP address defines the subnet and which part of the IP address defines the host (end user) portion. Let’s use a likely familiar IP scheme to understand it a little better. Consider the IP address (top) and subnet mask (middle) below:
IP Address | 192 | . | 168 | . | 1 | . | 100 |
Subnet Mask | 255 | . | 255 | . | 255 | . | 0 |
Subnet Mask (in Binary) | 11111111 | . | 11111111 | . | 11111111 | . | 00000000 |
Going from left to right, the alignment goes from subnetwork definition to host definition: anything in the binary representation with a ‘1’ defines the subnetwork and anything with a ‘0’ represents the host. What does this mean? It means that this IP address is in the subnet = 192.168.1.0 with subnet mask = 255.255.255.0. In shorthand (AKA CIDR, Classless Inter-Domain Routing), this can be written 192.168.1.0 /24, where the ‘/24’ represents the number of subnetwork bits active in the mask.
A Few Quick Rules About Subnet Masks
Active network bits have to be consecutive across all octets
Valid subnet mask:
11111111 | . | 11110000 | . | 00000000 | . | 00000000 | Equals: 255.240.0.0 and is valid and can be shorthanded as ‘/12’ because there are 12 active subnetwork bits (1s) |
11111111 | . | 11111111 | . | 11111111 | . | 10000000 | Equals: 255.255.255.128 and is valid and can be shorthanded as ‘/25’ because there are 25 active subnetwork bits (1s) |
10000000 | . | 00000000 | . | 00000000 | . | 00000000 | Equals: 128.0.0.0 and is valid and can be shorthanded as ‘/1’ because there is 1 active subnetwork bit |
Invalid subnet masks:
11111111 | . | 11101000 | . | 00000000 | . | 00000000 | Equals: 255.232.0.0 and is invalid. All the active subnetwork bits (across all octets) are not consecutive. |
11111111 | . | 11111111 | . | 00000000 | . | 00000001 | Equals: 255.255.0.1 and is invalid. All the active subnetwork bits (across all octets) are not consecutive. |
11111111 | . | 00000000 | . | 11111111 | . | 00000000 | Equals: 255.0.255.0 and is invalid. All the active subnetwork bits (across all octets) are not consecutive. |
Due to this, the only valid values for an octet of a subnet mask are:
00000000 | 10000000 | 11000000 | 11100000 | 11110000 | 11111000 | 11111100 | 11111110 | 11111111 |
0 | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
The first IP address in a subnet is used to define the subnet that an IP address is in. For example, the IP address that is 192.168.1.100 /24 is said to be in the subnet = 192.168.1.0 /24
That subnet definition cannot be assigned to a host machine.
The last IP address in a subnet is used as a broadcast address.
- Broadcast addresses can be used to send communication to all host machines in a subnet
- It is often used for networking/security purposes
- That broadcast address cannot be assigned to a host machine
When defining the amount of usable host machines in a subnet, we must always subtract 2: 1 x for the subnet definition and 1 x for the broadcast definition.
So, What Exactly Does This Mean?
As mentioned earlier, the IP address = 192.168.1.100 /24 is part of the 192.168.1.0 /24 subnet. So, any other machine can have an IP address in that subnet, with its own unique host number, and it would be in that subnet and could communicate with another machine in that subnet without the need for a router (gateway). So, a machine that has an IP address of 192.168.1.200 /24 would be in the same subnet. And because the subnet mask is /24, the entire last octet can be used to define host machines: 2^8 = 256, and 256 – 2 = 254 usable addresses. (Remember, we subtracted 2 because 1 is used to define the subnet and 1 is used to define the broadcast IP.) IPs in that subnet could be assigned to a gateway (each subnet needs a gateway if it will communicate outside of its subnet), maybe a local DNS server, and any other machine/host in that subnetwork.
So, what if our subnet masks aren’t so “clean”, meaning that an entire octet (or the trailing, consecutive octets) is not fully available for host designation? The general math to figure out how many usable hosts there are is as follows:
(2^h1 * 2^h2 * 2^h3 * 2^h4) - 2, where each h is the number of host bits (0s in the mask) in that octet. Huh? Examples, here we go!
Example 1:
Subnet Mask | 255 | . | 255 | . | 255 | . | 0 | |
Subnet Mask (in binary) | 11111111 | . | 11111111 | . | 11111111 | . | 00000000 | |
Usable Hosts | 2^0 | * | 2^0 | * | 2^0 | * | 2^8 | = 1 * 1 * 1 * 256 = 256 -2 = 254 |
Example of network definition IP | 10 | . | 10 | . | 10 | . | 0 | |
Example of Broadcast definition IP | 10 | . | 10 | . | 10 | . | 255 | |
Example of usable host IPs in the same subnet using that mask | 10.10.10.145 | 10.10.10.254 | 10.10.10.4 |
Example 2:
Subnet Mask | 255 | . | 255 | . | 0 | . | 0 | |
Subnet Mask (in binary) | 11111111 | . | 11111111 | . | 00000000 | . | 00000000 | |
Usable Hosts | 2^0 | * | 2^0 | * | 2^8 | * | 2^8 | = 1 * 1 * 256 * 256 = 65,536 -2 = 65,534 |
Example of network definition IP | 172 | . | 16 | . | 0 | . | 0 | |
Example of Broadcast definition IP | 172 | . | 16 | . | 255 | . | 255 | |
Example of usable host IPs in the same subnet using that mask | 172.16.54.255 | 172.16.147.34 | 172.16.255.254 |
Example 3:
Subnet Mask | 255 | . | 255 | . | 224 | . | 0 | |
Subnet Mask (in binary) | 11111111 | . | 11111111 | . | 11100000 | . | 00000000 | |
Usable Hosts | 2^0 | * | 2^0 | * | 2^5 | * | 2^8 | = 1 * 1 * 32 * 256 = 8,192 -2 = 8,190 |
Example of network definition IP | 192 | . | 168 | . | 32 | . | 0 | |
Example of Broadcast definition IP | 192 | . | 168 | . | 63 | . | 255 | |
Example of usable host IPs in the same subnet using that mask | 192.168.47.128 | 192.168.50.228 | 192.168.63.254 |
Example 4:
Subnet Mask | 255 | . | 255 | . | 255 | . | 192 | |
Subnet Mask (in binary) | 11111111 | . | 11111111 | . | 11111111 | . | 11000000 | |
Usable Hosts | 2^0 | * | 2^0 | * | 2^0 | * | 2^6 | = 1 * 1 * 1 * 64 = 64 -2 = 62 |
Example of network definition IP | 192 | . | 168 | . | 32 | . | 0 | |
Example of Broadcast definition IP | 192 | . | 168 | . | 32 | . | 63 | |
Example of usable host IPs in the same subnet using that mask | 192.168.32.1 | 192.168.32.35 | 192.168.32.60 |
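Added example, not code from the original post: the consecutive-1s mask rule and the usable-host math of Examples 1 to 4 above, implemented in Python with the same bit operations instead of a library. It goes one step past the post by computing the network and broadcast addresses directly (address AND mask, then OR with the inverted mask) and by checking whether two hosts share a subnet; the sample addresses are the post's own examples.

```python
# Added example, not code from the original post: the subnet arithmetic from the
# mask rules and Examples 1-4, done with the same binary math (no ipaddress module).

def to_int(dotted):
    """Dotted-decimal text (e.g. '192.168.1.100') -> 32-bit integer; rejects bad octets."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """32-bit integer -> dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """CIDR prefix (/n) of a mask. A valid mask, read as one 32-bit number, is a run of
    1s followed by a run of 0s, so it must equal 'ones' leading 1s and nothing else."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"invalid subnet mask, 1-bits not consecutive: {mask}")
    return ones

def is_valid_mask(mask):
    """True when the mask passes the consecutive-1s rule above."""
    try:
        prefix_length(mask)
        return True
    except ValueError:
        return False

def network_and_broadcast(address, mask):
    """Network = address AND mask (host bits cleared); broadcast = network OR NOT mask."""
    m = to_int(mask)
    net = to_int(address) & m
    return to_dotted(net), to_dotted(net | (~m & 0xFFFFFFFF))

def usable_hosts(mask):
    """2^(host bits) minus the network and broadcast addresses, as the post computes it."""
    return max(0, 2 ** (32 - prefix_length(mask)) - 2)

def same_subnet(addr_a, addr_b, mask):
    """Two hosts share a subnet (and need no router) when their network bits match."""
    m = to_int(mask)
    return (to_int(addr_a) & m) == (to_int(addr_b) & m)

if __name__ == "__main__":
    print(prefix_length("255.240.0.0"))                              # 12
    print(network_and_broadcast("192.168.47.128", "255.255.224.0"))  # ('192.168.32.0', '192.168.63.255')
```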
What Else With This?
A few things to point out:
- We often see the subnet masks as “clean”, typically a /24, because that accommodates most networks and is just easier to work with. We may see something like /23 which would basically double the amount of usable hosts.
- Example 2 above has 65,534 usable hosts. That is a big freakin’ subnet. You don’t see this utilized too often where most of the hosts will actually be used, but there certainly could be applications.
- As mentioned in a previous article, any host that wants to communicate with a host in another subnet needs a router. Intra-subnet communication (within the same subnet) only requires switching.
- In example 4, the example IP of 192.168.32.35 is in a different subnet than 192.168.32.67. If 2 x hosts with these IP addresses need to communicate, there would be a need for a router (gateway).
- What about a subnet mask of 255.255.255.254? Let’s look at the math:
Subnet Mask | 255 | . | 255 | . | 255 | . | 254 | |
Subnet Mask in binary | 11111111 | . | 11111111 | . | 11111111 | . | 11111110 | |
Usable Hosts | 2^0 | * | 2^0 | * | 2^0 | * | 2^1 | = 1 * 1 * 1 * 2 = 2 – 2 = 0 |
- Zero usable hosts?! Yeah, no good. You won’t see this as a subnet mask except on point-to-point links for WAN interfaces, which use no broadcast IP. As far as I know, it is not commonly used.
- Classful subnetting classifies certain IP addresses into classes. Here is a good example of how the classes are broken up
- DHCP (Dynamic Host Configuration Protocol) is our friend in most cases. It assigns IP addresses, subnet masks, gateway addresses and DNS servers to hosts that ask for them. How does a host initiate a DHCP request? Through a network broadcast! The DHCP server, whether router, firewall, Raspberry Pi or actual server tower, is listening for the broadcast. The host is all like, “Yo, I need an IP address so I can YouTube cat videos. Who can help?” and the DHCP server is all like, “Oh yeah! I can help you there. Pass me your MAC address and I’ll pass back the network info.” DHCP is best for machines that can join and leave a network dynamically, such as cell phones, laptops, etc.
- Static addressing is also our friend. While MAC binding is an option for DHCP, sometimes setting a good ol’ fashioned static IP address for certain hosts will guarantee that the IP address will not change. They are good for servers, particularly DNS, but not exclusively.
There is a lot more to this and we will examine other aspects of networking in the future. Based off of this article, there is no need to scrutinize but stay safe and happy scrutinizing anyway!